Posted
by
samzenpus
on Thursday August 06, 2015 @09:03PM
from the give-me-the-stats dept.

Mark Wilson writes: We've already looked at the Stagefright vulnerability, discovered by Zimperium, and shown what can be done to deal with it. Affecting up to 95 percent of Android devices, the vulnerability has led to Google and Samsung announcing monthly security updates. Now the mobile security company has released additional details about how the exploit works. To help explain the vulnerability, a video has been produced which uses a Stagefright demonstration to illustrate it in action. Zimperium has also released an Android app that checks devices for the vulnerability.

A security vulnerability discussion on Slashdot that's over 30 minutes old and has no posts relevant to the content (including this one), and instead has three trolls, one reaction to a troll, and one comment on the fall of Slashdot.

It's not all that interesting. The severity of this vulnerability is low because since way back in the 2.0 days Android has had ASLR enabled by default in the kernel, which largely mitigates it.

Defensive security measures like ASLR do a lot to mitigate the severity of new exploits, which is why you don't see sudden mass infections the way you used to back in the XP days. Some people love to soil their pants every time some new "critical" exploit comes along, ranting like lunatics that Android/iOS/Windows is

Google should provide a tool which would allow users to update their phones themselves instead for having to wait for the manufacturer to do something if those ba$tard$ are willing to do anything at all...

That is not in their power. The unlock and flash tools are held by the makers of the chipset and/or the makers of the devices. So for example the tegra flash tools come from nvidia but the actual unlock tools come from the vendor, in my case Asus... and Asus made a crap unlock tool that tries to verify that you're using it on an original untampered device. It doesn't work on all the bootloader versions they ever shipped, either. Anyone who got the JB OTA update has only a mediocre shot at it working. Anyone

Can't they use Google Play Services to roll out a fix to the various files which make up Android? If not, shouldn't such a tool be part of the next fix they roll out? Is there some problem - security or other- to adding/changing/removing system files, assuming the operation/process is signed?

Can't they use Google Play Services to roll out a fix to the various files which make up Android?

In a word, no. The only reason Google can make so many updates by updating Google Play Services is that they have moved more and more of the core functionality into there. However, libstagefright is not part of that functionality, so they can't update it by updating Play.

For locked, unlockable devices, only the vendors realistically have the ability to produce a patch.

But why can't they update *everything* using it? If they can't, why can't they introduce such a feature? Microsoft can update everything on their patch-tuesdays updates. Why can't Google? Google knows how broken and hopeless the upgrade situation is with android. Fewer than 1% are on the latest version (5.1) and most are on a 2+ year old version. Can you imagine the response if Microsoft said only users of Windows 10 were going to get security fixes when everyone's on xp and 7?

I ran it too and what the app told me wasn't immediately useful. When I checked on Google Play, others had said the same. So I installed Lookout Security's Stagefright detector and it not only told me my devices were vulnerable, it also linked to helpful instructions to change my settings and avoid the problem.

This reveals whether a device is vulnerable, and indicates whether an OS update is needed.

Of course you're never going to get an OS update because your vendor isn't ever going to release one, they're too busy introducing a new model that obsoletes your two-month-old phone and whose main differentiator is that the power button is moved 1/200" to the left. Buy the new model, the problem may be patched. If not, try buying the next model that's coming out in three weeks.

From what I understand, Stagefright is a bug that can only be removed in one of two ways: either by an update from the manufacturer of your device, or rooting your device and manually removing the image viewer that Stagefright uses as a vector. There's really nothing an average (non-rooting) user can do to fix their devices but wait, and nothing they can really do to stop it happening to them short of turning their device off completely and preventing it from getting texts. Sure, it'll tell them that their device is vulnerable, but it's a case of "You're vulnerable to Stagefright and can do absolutely nothing about it short of rooting your device until your device manufacturer decides to release an update."

From what I understand, Stagefright is a bug that can only be removed in one of two ways: either by an update from the manufacturer of your device, or rooting your device and manually removing the image viewer that Stagefright uses as a vector. There's really nothing an average (non-rooting) user can do to fix their devices but wait, and nothing they can really do to stop it happening to them short of turning their device off completely and preventing it from getting texts. Sure, it'll tell them that their device is vulnerable, but it's a case of "You're vulnerable to Stagefright and can do absolutely nothing about it short of rooting your device until your device manufacturer decides to release an update."

You can disable packet data for the short term until you resolve the issue on your phone. this will make the phone usable (wifi only for data) and text messages still available, but will not use MMS as packet data is required for this.

Fortunately the bug isn't that bad. Because of ASLR and other defence mechanisms in place (as far back as V2.0) the damage it can do is fairly limited. Maybe a really slow, really expensive DOS attack, until you call up and ask your carrier to block MMS.

On a stock, non-rooted phone you can disable MMS [trendmicro.com] to provide some degree of protection from this particular exploit.

Although unconfirmed, there are several stagefright booleans [blogspot.com] in/system/build.prop on some phones. Setting them to false might provide some additional protection. Root and a reasonable text editor will be required (i.e., busybox vi), and you should be able to recover from a boot loop before attempting this modification.

until they take security seriously (which means backporting fixes to old os's in phones) this is worse then bullshit. its acting like a real fix when, in fact, its stil business as usual. phones will not get updates if the vendor wants to force you to re-re-rebuy yet another phone.

when there is a push to keep selling you things that you already have, you will NOT get software updates or support.

the model is broken by design. apple has it mostly right (although they also actively try to force upgrades on hardware by EOLing perfectly good and working hw) but android/google fucked the chicken, here. they decided to make a monolithic system out of the non-monolithic linux base and there's no fixing this broken-by-design idea. vendors are enjoying their wild-west view of things and anything goes! consumer protection is a thing that we used to have 20+ yrs ago, but no one cares about us anymore.

looking to google to help secure things? HA! samsung? DOUBLE HA!

both are jokes when it comes to software QUALITY. such a shame, too, that such rich companies don't give time or energy to things that truly are important to users.

No one takes security seriously anymore. Everyone's chasing features. End-users simply don't care because there are so many of them that it's impossible to dramatically affect enough of them to build a movement against shoddy software. Everyone knows of someone that had problems yet it's just considered a fact of life.

In the late nineties I dreamed of the smart home, the smart car, etc. I even played with X10 for awhile and had strongly considered integrating a computer into my car in a fashion that

I think they're being forced into this by mounting public/press pressure. They're going through the same discovery process that creators of PC software, browsers, and operating systems went through a decade ago (or more recently with Adobe and Oracle). If a company like Microsoft can get their shit together security-wise, then so can Google and other Android manufacturers. It just requires a fairly serious commitment. Whether this is real or marketing bullshit will become clear soon enough.

True, but I haven't seen updates pushed without my consent so far on my phone. Also, I suspect the chance of your phone being completely bricked by a security update is pretty low. You probably have a much better chance of accidentally dropping and breaking it.

Still, I do share your fears about mandatory updates. I think Microsoft's Windows 10 update policy for the consumer version is absolute lunacy. It makes sense from a security standpoint, but it's horrible in terms of stability/control for people w

How fucked would we be if PC users could buy PCs with Windows or OS X installed, but could only get security updates by downloading ISP-signed binaries from Comcast or AT&T's "official" repositories?

Yep, a good point. Apple was the only one with the clout to avoid that nonsense. It's too bad it didn't set a precedent that the rest of the industry followed. Honestly, I think I might be willing to overlook a little bit of collusion if the rest of the manufacturers got together and demanded the same autonomy.

Still, my feeling is that Samsung has probably coordinated with the carriers about more frequent security updates. I don't see any reason they would be resistant to the idea, since it's not all th

Yep, a good point. Apple was the only one with the clout to avoid that nonsense. It's too bad it didn't set a precedent that the rest of the industry followed. Honestly, I think I might be willing to overlook a little bit of collusion if the rest of the manufacturers got together and demanded the same autonomy.

Still, my feeling is that Samsung has probably coordinated with the carriers about more frequent security updates. I don't see any reason they would be resistant to the idea, since it's not all that m

Add to this locked bootloaders and then the second OS Baseband that's completely riddled with bugs and exploits. None of these phones are really secure, even Iphones. Every time I look at my phone I cringe. It annoys the crap out of me that I have no clue what its doing behind the scenes while on a mobile network.

The idea of using the vulnerability to patch the vulnerability comes up pretty regularly, but it's just too risky. The Android ecosystem is diverse, which means that the "patch attack" would have to be properly customized for every device (which also affects attackers, BTW), plus the fact that a non-trivial number of devices are rooted and modified by the users means that there is a subset of devices for which the patch attack cannot be properly customized. Screwing up a patch attack could brick devices, so